Bug 1902687 (CVE-2020-8285)

Summary: CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, andrew.slice, anharris, blpowers, bniver, bodavis, cmoore, csutherl, dbhole, erik-fedora, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kaycoth, kdudka, krathod, kwalsh, luhliari, mbabacek, mbenjamin, mhackett, mike, mjg, msekleta, mturk, omajid, paul, pjindal, rakesh.pandit, rwagner, security-response-team, sostapov, svashisht, vereddy, walter.pete
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/JBCS-1045
Whiteboard:
Fixed In Version: curl 7.74.0
Doc Type: If docs needed, set a value
Doc Text:
Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 20:37:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1905124, 1905126, 1902889, 1902890, 1905123, 1906110, 1906112, 1906114, 1906116
Bug Blocks: 1902669

Description Marian Rehak 2020-11-30 12:21:34 UTC
libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors.

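As an added illustration of the mechanism in the description above (example code, not from curl, Red Hat or the reporter), the following stand-alone C program models the two shapes of the wildcard dispatcher: one that handles a `CURL_CHUNK_BGN_FUNC_SKIP` result by calling itself for the next entry, and one that loops within a single frame instead. It does not link against libcurl. The `CURL_CHUNK_BGN_FUNC_*` values and the callback signature are copied from `<curl/curl.h>` (assumption: the public header's definitions), while `struct listing`, `struct stats`, `wc_recursive`, `wc_iterative`, `run_wildcard`, `make_listing` and the dotfile-skipping callback are invented stand-ins for this example, and the directory listing is constructed in the program rather than fetched from an FTP server. The depth counters show that the recursive form needs one stack frame per consecutively skipped entry, a quantity the server controls through its listing, whereas the loop stays at one frame regardless.

```c
/* Added example, not code from curl or Red Hat: a stand-alone model of the
 * recursion in the bug description. Nothing here links against libcurl; the
 * constants and callback shape are copied from <curl/curl.h> (assumption),
 * and the two dispatchers stand in for libcurl's wildcard state machine. */
#include <stdio.h>
#include <stdlib.h>

/* Return values for CURLOPT_CHUNK_BGN_FUNCTION as defined in <curl/curl.h>. */
#define CURL_CHUNK_BGN_FUNC_OK   0
#define CURL_CHUNK_BGN_FUNC_FAIL 1
#define CURL_CHUNK_BGN_FUNC_SKIP 2

/* Same shape as libcurl's curl_chunk_bgn_callback; transfer_info is the
 * directory entry (here just its name), remains counts entries left. */
typedef long (*chunk_bgn_cb)(const void *transfer_info, void *userdata, int remains);

/* Constructed stand-in for a parsed FTP directory listing. */
struct listing { const char **names; int count; };

/* Counters the caller inspects; depth tracks dispatcher nesting. */
struct stats { int callbacks, downloaded, depth, max_depth; };

/* A dispatcher handles entry idx and returns the index of the next entry
 * the caller should continue from (or -1 on callback failure). */
typedef int (*dispatch_fn)(const struct listing *, int idx, chunk_bgn_cb, struct stats *);

/* Application callback: skip dotfiles, download everything else. */
static long skip_dotfiles(const void *transfer_info, void *userdata, int remains) {
    (void)userdata; (void)remains;
    return ((const char *)transfer_info)[0] == '.' ? CURL_CHUNK_BGN_FUNC_SKIP
                                                   : CURL_CHUNK_BGN_FUNC_OK;
}

static void enter(struct stats *st) {
    if (++st->depth > st->max_depth) st->max_depth = st->depth;
}

/* Vulnerable shape: a SKIP is handled by calling the dispatcher again for
 * the next entry, so a run of k skipped entries costs k nested frames. */
static int wc_recursive(const struct listing *l, int idx, chunk_bgn_cb cb, struct stats *st) {
    int next = l->count;
    enter(st);
    if (idx < l->count) {
        st->callbacks++;
        long rc = cb(l->names[idx], st, l->count - idx);
        if (rc == CURL_CHUNK_BGN_FUNC_SKIP) {
            next = wc_recursive(l, idx + 1, cb, st);   /* grows the stack */
        } else if (rc == CURL_CHUNK_BGN_FUNC_OK) {
            st->downloaded++;
            next = idx + 1;
        } else {
            next = -1;
        }
    }
    st->depth--;
    return next;
}

/* Fixed shape: skipped entries are consumed in a loop within one frame,
 * so stack use no longer depends on how many entries the server lists. */
static int wc_iterative(const struct listing *l, int idx, chunk_bgn_cb cb, struct stats *st) {
    int next = l->count;
    enter(st);
    while (idx < l->count) {
        st->callbacks++;
        long rc = cb(l->names[idx], st, l->count - idx);
        if (rc == CURL_CHUNK_BGN_FUNC_SKIP) { idx++; continue; }
        if (rc == CURL_CHUNK_BGN_FUNC_OK) { st->downloaded++; next = idx + 1; }
        else next = -1;
        break;
    }
    st->depth--;
    return next;
}

/* Drive a dispatcher over the whole listing, one entry at a time. */
static int run_wildcard(dispatch_fn dispatch, const struct listing *l,
                        chunk_bgn_cb cb, struct stats *st) {
    int idx = 0;
    while (idx < l->count) {
        idx = dispatch(l, idx, cb, st);
        if (idx < 0) return -1;
    }
    return 0;
}

/* Constructed listing: `skipped` dotfiles followed by `kept` ordinary files,
 * i.e. the server-controlled shape that drives the recursion. */
static struct listing *make_listing(int skipped, int kept) {
    struct listing *l = malloc(sizeof *l);
    l->count = skipped + kept;
    l->names = malloc((size_t)l->count * sizeof *l->names);
    for (int i = 0; i < l->count; i++)
        l->names[i] = i < skipped ? ".hidden" : "data.bin";
    return l;
}

static void free_listing(struct listing *l) { free(l->names); free(l); }

int main(void) {
    struct listing *l = make_listing(1000, 1);
    struct stats rec = {0}, it = {0};
    run_wildcard(wc_recursive, l, skip_dotfiles, &rec);
    run_wildcard(wc_iterative, l, skip_dotfiles, &it);
    printf("recursive: max depth %d frames\n", rec.max_depth);  /* 1001 */
    printf("iterative: max depth %d frames\n", it.max_depth);   /* 1 */
    free_listing(l);
    return 0;
}
```

Build with `cc -std=c99 example.c && ./a.out`. Raising the first argument of `make_listing` far enough eventually crashes the recursive variant with a stack overflow while the iterative one completes; the threshold depends on the platform's stack size and the compiler's frame layout, which is the variation the description refers to. The fix lives in libcurl itself (curl 7.74.0, per the Fixed In Version field), not in the application's callback.
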
Comment 2 Todd Cullum 2020-11-30 22:39:12 UTC
Flaw summary:

A malicious server whose filesystem is configured in a crafted way, could crash an application using libcurl as a dependency, by causing a stack overflow via uncontrolled recursion. This could result in a temporary denial of service.

Note that the curl program itself is not affected, as it does not use the affected functionality of libcurl.

Comment 3 Todd Cullum 2020-11-30 22:42:34 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 10 Guilherme de Almeida Suckevicz 2020-12-09 17:19:01 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1906110]


Created flickcurl tracking bugs for this issue:

Affects: epel-7 [bug 1906116]
Affects: fedora-all [bug 1906114]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1906112]

Comment 11 Todd Cullum 2020-12-09 18:51:03 UTC
Acknowledgments:

Name: Varnavas Papaioannou

Comment 12 Todd Cullum 2020-12-09 18:53:18 UTC
External References:

https://github.com/curl/curl/issues/6255
https://curl.se/docs/CVE-2020-8285.html

Comment 13 Tomas Hoger 2021-04-07 08:03:20 UTC
Upstream commit:

https://github.com/curl/curl/commit/69a358f2186e04

Comment 14 errata-xmlrpc 2021-05-18 13:40:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610

Comment 15 Product Security DevOps Team 2021-05-18 20:37:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8285

Comment 17 errata-xmlrpc 2021-06-17 11:35:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 18 errata-xmlrpc 2021-06-17 11:45:23 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472